"last" command indicates someone logged in for 00:00 – was our server compromised?

Philip Brocoum asked:

I noticed the following weird entry from my “last” command from an IP address in Romania:

user pts/0   Sat Jul 28 12:48 - 12:48  (00:00)

I’m wondering if that means I was hacked? But it says they logged in for 0 minutes, does that mean they failed? I can’t find the answer in the man pages.

My answer:

That appears to be a successful login lasting for less than one minute. The last command only shows successful logins by default.

You can confirm it by examining your system logs (e.g. /var/log/messages and /var/log/audit/audit.log) and looking for login and logout events.

I recently had a chance to examine a compromised machine, and the compromise followed a similar pattern. After the first successful compromise, the attacker may simply make note of your server’s information to be passed along later to other criminals. If your system remains open, expect logins over the next few days from all over the world.

View the full question and any other answers on Server Fault.
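As an added example (not part of the original question or answer), here is a small Python script that performs the check the answer recommends: it parses the text output of `last`, flags sessions that lasted under a minute, and corroborates each one against sshd and PAM lines from the auth log (/var/log/secure or /var/log/auth.log, depending on the distribution) to recover the authentication method, the real session length in seconds, and how many failed attempts came from the same source beforehand. The `last` lines, the log lines, the host name web1 and the address 203.0.113.77 are constructed sample data, not taken from the original post.

```python
"""Triage `last` output: flag sub-minute sessions and corroborate them
against sshd/PAM auth-log lines. Added example with constructed data."""
import re
from datetime import datetime

# Constructed sample of `last` output (wtmp), same layout as the question.
LAST_OUTPUT = """\
alice    pts/1        10.0.0.5         Sat Jul 28 09:10 - 11:42  (02:32)
user     pts/0        203.0.113.77     Sat Jul 28 12:48 - 12:48  (00:00)
bob      pts/2        10.0.0.9         Sat Jul 28 13:05   still logged in
reboot   system boot  3.10.0-example   Fri Jul 27 08:00 - 14:00 (1+06:00)

wtmp begins Sun Jul  1 00:00:01 2012
"""

# Constructed sshd/PAM lines in /var/log/secure style for the same day.
AUTH_LOG = """\
Jul 28 12:40:11 web1 sshd[2200]: Failed password for root from 203.0.113.77 port 50990 ssh2
Jul 28 12:40:15 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.77 port 50994 ssh2
Jul 28 12:48:03 web1 sshd[2211]: Accepted password for user from 203.0.113.77 port 51022 ssh2
Jul 28 12:48:03 web1 sshd[2211]: pam_unix(sshd:session): session opened for user user by (uid=0)
Jul 28 12:48:41 web1 sshd[2211]: pam_unix(sshd:session): session closed for user user
Jul 28 09:10:07 web1 sshd[1902]: Accepted publickey for alice from 10.0.0.5 port 40210 ssh2
"""

# Interactive sessions only (pts/N or ttyN); reboot and footer lines will not match.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>pts/\d+|tty\d+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3}) (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2})"
    r"(?:\s+- (?P<logout>\S+)\s+\((?P<dur>[^)]+)\)|\s+(?P<open>still logged in))"
)

# One regex for both the sshd Accepted/Failed lines and the PAM session lines.
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<auser>\S+) "
    r"from (?P<ip>\S+) port \d+"
    r"|pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<suser>\S+))"
)


def parse_duration(text):
    """Convert a `last` duration such as '00:00', '02:32' or '1+06:00' to minutes."""
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    hours, minutes = (int(x) for x in text.split(":"))
    return days * 1440 + hours * 60 + minutes


def parse_last(output):
    """Return one dict per interactive session; 'minutes' is None while still open."""
    sessions = []
    for line in output.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        sessions.append({
            "user": m["user"], "tty": m["tty"], "host": m["host"],
            "mon": m["mon"], "day": int(m["day"]), "time": m["time"],
            "minutes": None if m["open"] else parse_duration(m["dur"]),
        })
    return sessions


def short_sessions(output, max_minutes=1):
    """Closed sessions whose `last` duration is below max_minutes (00:00 means < 1 min)."""
    return [s for s in parse_last(output)
            if s["minutes"] is not None and s["minutes"] < max_minutes]


def parse_auth_log(log_text):
    return [m.groupdict() for m in map(AUTH_RE.match, log_text.splitlines()) if m]


def corroborate(last_output, auth_log):
    """For each sub-minute session, find the sshd Accepted line with the same
    user, source and login minute, then the PAM 'session closed' from the same
    sshd pid, and report method, true duration and prior failures from that source."""
    events = parse_auth_log(auth_log)
    findings = []
    for s in short_sessions(last_output):
        accepted = next((e for e in events if e["result"] == "Accepted"
                         and e["auser"] == s["user"] and e["ip"] == s["host"]
                         and (e["mon"], int(e["day"]), e["time"][:5])
                         == (s["mon"], s["day"], s["time"])), None)
        failed_before = sum(1 for e in events
                            if e["result"] == "Failed" and e["ip"] == s["host"])
        if accepted is None:
            # wtmp says a login happened but the auth log does not: treat the
            # logs as possibly tampered with rather than concluding nothing happened.
            findings.append({**s, "failed_before": failed_before,
                             "verdict": "no matching Accepted line: check log integrity"})
            continue
        closed = next((e for e in events if e["state"] == "closed"
                       and e["pid"] == accepted["pid"]), None)
        seconds = None
        if closed:
            t0 = datetime.strptime(accepted["time"], "%H:%M:%S")
            t1 = datetime.strptime(closed["time"], "%H:%M:%S")
            seconds = int((t1 - t0).total_seconds())
        findings.append({**s, "method": accepted["method"], "seconds": seconds,
                         "failed_before": failed_before,
                         "verdict": "successful login from " + s["host"]})
    return findings


if __name__ == "__main__":
    for f in corroborate(LAST_OUTPUT, AUTH_LOG):
        print(f)
```

On the sample data the script reports one finding: the `user` session from 203.0.113.77 was a successful password login that lasted 38 seconds and was preceded by two failed attempts from the same address, which is exactly the pattern the answer describes. On a live system, replace the two constants with the output of `last -i` (numeric addresses) and the contents of the auth log; if `last` shows a session with no corresponding `Accepted` line, treat the logs themselves as suspect.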

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.